Analysis
max time kernel: 132s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 21:56
Static task: static1
Behavioral task: behavioral1
  Sample: 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
  Resource: win10v2004-20241007-en
General
Target: 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
Size: 2.2MB
MD5: bda80c569715cb4e427f9408b389238a
SHA1: c1982d58ce154872aced5460cd88b106dfeaa6f7
SHA256: 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4
SHA512: ee31887687504525cfe9b0ac9e079a396ba92819bdfca2eb5259bea8b900a762cf58630cd19dc2fefbffa5253a30344691438cd3d344086ef337247f2247411d
SSDEEP: 49152:V5Oxg/TFlCpM/CWKNdDgQbHbJwzF00nVLqk6FzreoZo:V5FFlCi/n4mc7M00nVGkgzrnZo
Malware Config
Extracted
Family: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 51.210.137.6:47909
auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral2/memory/4004-19-0x0000000000400000-0x0000000000432000-memory.dmp | family_redline

Redline family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
3800 | 123.exe
4928 | 321.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3800 set thread context of 4004 | 3800 | 123.exe | 91
PID 4928 set thread context of 920 | 4928 | 321.exe | 95

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3308 | 3800 | WerFault.exe | 86
3024 | 4928 | WerFault.exe | 89
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 321.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4748 | cmd.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 4068 wrote to memory of 3800 | 4068 | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe | 86
PID 4068 wrote to memory of 3800 | 4068 | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe | 86
PID 4068 wrote to memory of 3800 | 4068 | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe | 86
PID 4068 wrote to memory of 4928 | 4068 | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe | 89
PID 4068 wrote to memory of 4928 | 4068 | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe | 89
PID 4068 wrote to memory of 4928 | 4068 | 83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe | 89
PID 3800 wrote to memory of 4004 | 3800 | 123.exe | 91
PID 3800 wrote to memory of 4004 | 3800 | 123.exe | 91
PID 3800 wrote to memory of 4004 | 3800 | 123.exe | 91
PID 3800 wrote to memory of 4004 | 3800 | 123.exe | 91
PID 3800 wrote to memory of 4004 | 3800 | 123.exe | 91
PID 4928 wrote to memory of 920 | 4928 | 321.exe | 95
PID 4928 wrote to memory of 920 | 4928 | 321.exe | 95
PID 4928 wrote to memory of 920 | 4928 | 321.exe | 95
PID 4928 wrote to memory of 920 | 4928 | 321.exe | 95
PID 4928 wrote to memory of 920 | 4928 | 321.exe | 95
PID 920 wrote to memory of 4748 | 920 | vbc.exe | 100
PID 920 wrote to memory of 4748 | 920 | vbc.exe | 100
PID 920 wrote to memory of 4748 | 920 | vbc.exe | 100
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, command line, PID and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\83c239daead7fd351924f1580a026cc9c93115adbd9e992a1c65deabbe2701b4.exe"
  PID: 4068
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Temp\123.exe
    command line: "C:\Windows\Temp\123.exe"
    PID: 3800
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 4004
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 56
      PID: 3308
      - Program crash

  C:\Windows\Temp\321.exe
    command line: "C:\Windows\Temp\321.exe"
    PID: 4928
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 920
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
        PID: 4748
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 296
      PID: 3024
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3800 -ip 3800
  PID: 876

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4928 -ip 4928
  PID: 2364
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 515KB
MD5: 3fa22b0476827d769e2af472e068dcf2
SHA1: 80088e35ee337f66ced69521bacd4045d723127b
SHA256: e640c00779f3df1dd107495414e3498dc347a12fc61142faecd7aba7aa5918d1
SHA512: 500c180fea4c68af86284b0f930802f361f827454eb1edc85c02c90e8c74fe937212adcd3c1aff807b841d9f0a92ad4ba8cfdc8fc1cf6fd1e6f5ba15ef75a6f3

Filesize: 2.9MB
MD5: a774532aea9d069f6fd16a9c84ff66ac
SHA1: c45a9a43ea5810f9b1e2522a9657c43e795b01dc
SHA256: 1dcf61a876f7ffd7fd19fe9b81f614f0b0daf2ca80d81f16275680a7e2dae9c6
SHA512: ee09e845d6b889b0fac803468e2f672a1a187abcbc77652e07dcc8301fb05cca25e8121411be11b6e425e36ad851a586724da2e733516f9266493441e804b32c